Non-volatile memory devices are commonly used in computer systems to store information of critical importance, such as the machine start-up operations and the regular operations of the system peripheral devices. The computer start-up procedure routines (bootstrap) and input/output (I/O) device management routines are stored on a non-volatile memory known as BIOS memory. The content of BIOS memory is rarely altered, and is essential for future use.
In the past, it was very common to store the BIOS code on a Read Only Memory (ROM) or Erasable Programmable ROM (EPROM) device. The ROM device content is fixed once (at the factory) and cannot be altered thereafter. The EPROM may be programmed and erased but only after being removed from the system. If there were changes to be made to the BIOS code, the ROM device had to be removed and replaced with a new one (or an updated one), containing the new code. To enable updates, bug fixes, and storage of critical changing parameters, a non-volatile memory device enabling reprogram was required.
The Electrically Erasable Programmable ROM (EEPROM) is another non-volatile device that can be erased and reprogrammed on the printed circuit board (PCB). The EEPROM is erasable and programmable at the byte level. Its disadvantage is that it is relatively expensive, slow to access and limited in terms of memory size. Flash Memory (FM) devices are another kind of Electrically Erasable Programmable memory. Flash memories are accessible for reading at the byte level, and also may be programmed at the byte level. Erasure, however, may be performed only to entire sections of the FM device. These sections are usually referred to as blocks.
The erasure of FM blocks is a process of changing each bit in the erased section to a value of “1”. The writing or programming process includes changing the required bits in the written byte from a value of “1” to a value of “0”. If data is to be written to a location in an FM device, it should go through an erase operation first. Some memories will allow rewrite into a specific location, as long as bits are only changed from a value of “1” to a value of “0.” By applying the erase process to large sections of the FM device the cost of Flash Memory devices is reduced. FM devices are therefore more cost effective than EEPROM devices. FM devices differ in the size of their blocks. For a specific FM device, all blocks may be of equal size or varying sizes. FM devices have a protection mechanism used to prevent accidental writes. The protection mechanism is also intended to prevent malicious writes.
FM devices that are used for BIOS storage may be with blocks of equal size or of varying size. In most cases, one of the blocks is assigned as a boot-block. This block may be written or erased only in a unique operation mode, which may be accessed utilizing special controls in the hardware level. For example, a special control may comprise a write-enable pin, or the application of high voltage to one of the device's pins. Typically, systems are designed to disable such operation, and in most cases the removal of the device from the board is required or at least changing one of its jumpers to enable it. Furthermore, the boot-block usually holds enough information to allow programming of the FM device even when other parts of the flash are corrupted.
It should be noted that FM devices cannot replace Random Access Memory (RAM) devices in most cases. A RAM may be written in any order and as many times as required, while a flash memory requires erase operations and has only a limited number of erase-program cycles that it can tolerate before its reliability deteriorates. This number is referred to as FM endurance.
Protection of FM devices from erroneous writes is achieved by utilizing some or all of the following methods:
(1) The erase and program process requires a preamble procedure that rarely happens by accident.
(2) The device has a write enable input signal that may be tied to a Dip-Switch or a jumper so that write operations may be only manually enabled.
(3) Alternatively, programming the FM device may be controlled by a General Purpose I/O signal (GPIO) that will take a special sequence of operations to enable the write process.
All of the methods mentioned above provide reasonable protection against accidental writes. But, with the exception of the jumper/Dip-Switch option, they provide poor protection against malicious attacks that utilize knowledge of the system structure. Even the jumpers are vulnerable to attacks that alter the update information without the user's knowledge. These methods also have the disadvantage that they require opening the box by a skilled person. Jumpers usage also prevents the use of the FM device for storage of information while the system operates. An example of information that one may desire to store in the flash is Plug and Play (PnP) information used to speed up the boot process.
To facilitate BIOS upgrades, many computer boards are shipped with enabled BIOS programming voltage. This leaves the BIOS vulnerable. Allowing critical BIOS code to be altered by software exposes it to the hazard of malicious virus attacks and erroneous changes. In fact, some computer viruses are designed to overwrite a section of the FM BIOS, leaving the computer unbootable until a new BIOS is installed, and even worse, cause damage to other parts such as the hard disk drive's contents. In case of attack, an operation by a skilled technician is required to initiate a special recovery process.
The Intel 82802AB/AC (FWH) Firmware Hub is an example of a FM memory device utilized to store and manage the computer system and graphic BIOS. In this device, two input pins are dedicated for hardware write and erase protection of the FM device blocks. One input pin provides protection to the device's top boot-block, where code of critical importance may be stored. The other input pin provides protection to the other blocks of the device. In addition, a set of programmable registers, containing locking flags, is utilized to implement software protection for each of the FM device blocks. These registers are accessible through the system's standard memory space and therefore can be altered by a malicious program (e.g., a virus) operating in the machine memory.
Each FM block has its dedicated lock flags register, which is utilized to set access restrictions. The lock flags consist of a read-lock flag, which prevents a block read operation, a write-lock flag, which prevents the block erasure and program operations, and a lock-down flag which prevents any further changes to the read and write lock flags, until the device is reset or power-cycled. The hardware pins implement a robust block protection, but additional hardware is required to enable updating of the content of the FM block, and a technical skilled operator is required, when jumpers or dip switches are utilized for that purpose. In addition, the program, which is used to set the lock flags and update the FM, is operated by the system processor, and therefore can be cracked and exploited by virus attacks. Furthermore, when the lock-down flags are activated, the access to the blocks' lock flags is completely disabled until the system is reset or power-cycled.
The combination of hardware and software protection can be utilized to add more protection levels and access control to the device blocks. In the Intel's Advanced+ Boot Block FM device, for example, hardware and software protection methods are combined to implement a protection scheme, which is software and hardware dependent. In this method, the state of an FM block may be modified by software to a locked or unlocked state. In the locked state, the block is fully protected from alterations, and in the unlocked state, the program and erasure of blocks is enabled. In addition, each block state can be changed by software to a locked-down state, in which the protection operation is hardware dependent. In the lock down state, the block state can be toggled between the locked and the unlocked states only when a dedicated input pin is held in its HIGH state (“1”). When the input pin is held in its LOW state (“0”), all the locked-down blocks enter the locked state, whether previously locked or unlocked, and no further changes can be made until the input pin returns to its HIGH state. The dedicated input pin is expected to be connected to a system element that will set it to a value of “1” only when appropriate. In Personal Computers (PC) it is typical to connect the input pin to a general purpose output that is controlled by the main processor.
The Advanced+ Boot Block FM device further comprises a one hundred twenty eight (128) bit Protection Register (PR). In the PR, security and authenticity information may be stored. The PR can be permanently locked to prevent any future changes to its contents. However, only sixty four (64) bits of the PR are available for the customer. One 64 bit segment of the PR section is programmed and locked at the factory, and may not be altered. Still, all the FM device operations are handled by the host processor and performed via software, so that the same procedures that are utilized by the system to handle the FM device operations may be exploited for a malicious purpose.
In advanced implementations the FM device is utilized to hold both host BIOS code and data, and code and data that belong to an embedded controller (EC). An example of such a system is the National Semiconductor PC87570 device. This device allows the use of one flash memory device by both the BIOS and the EC when operated in its Shared BIOS mode of operation. In this scheme, after the embedded controller is reset it configures the interface to the flash memory and enables the host access to it. An attempt by the host to access before that point will be responded to by extending the transaction via a ready signal (IOCHRDY) until the embedded controller has completed the setting up of the interface. Once the host access to the flash is enabled, the host and the embedded controller's core will access the flash via the PC87570's internal core bus and its Bus Interface Unit (BIU).
The core bus is arbitrated on a “first come first served” basis with a single transfer limit, thus neither of the two controllers (Host and EC) may prevent the other from accessing the flash for an extended period due to extended use of the flash. One of the embedded controller's tasks is to check the contents of the FM using a program stored in an on-chip ROM device, and apply a check-sum test which is verified utilizing data stored in a known location in the flash. The controller checks the portion of the FM that includes its own code and data prior to any attempt to execute it. In case an error is detected a flash update scheme is performed.
The host processor (the “Host”) performs flash updates. Before an update starts, the Host software communicates with the EC to inform that an update start is desired. The EC will stop any access to the flash, for example by copying a small wait loop to RAM and executing it. Only after, that, the EC acknowledges the operation to the Host that the flash update may begin. The Host will update any portion of the flash as required via a sequence of read and write operations that are bridged to it through the PC87570 core bus. The only FM contents protection available at this stage is one that is provided by the FM device (e.g., boot-block protection). When the update is completed the Host notifies the EC and a soft reset operation (i.e., jump to address zero (“0”)) is enabled.
This scheme does not allow the EC any control over what information the Host may read from the flash, thus preventing holding the secured information in it. This prevents the ability to secure the update process.
All the methods described above have not yet provided satisfactory solutions to the problem of flash memory protection in personal computer implementations, in general, and in applications with shared memory schemes, in particular.